Solvency II Obligations for the Internal Audit Function

Susan YoungHead of Risk ManagementR&Q Managing Agency Limited 26th June 2013

IACON 2013

Disclaimer

The opinions expressed in this presentation are my own and do not representthose of my organisation

Feel free to share yours

Session Outline

• Obligations of Internal Audit - what do the SII Framework Directive and Level 2 Guidance say –a recap

• The effect of– Solvency II upon Risk Mitigation– Resourcing

• Going Forwards – Present and Expected future Developments

• Broker Market - SII Implications

• Dealing with the expected regulatory focus on the first and second lines of defence

• How can Internal Audit add value in the context of its new and evolving obligations?

• Summary and Conclusion

Obligations of Internal Audit - what does the SIIFramework Directive say –a recap

• Insurance and Reinsurance Undertakings shall provide for an effective Internal Audit Function

• The Internal Audit Function shall include an evaluation of the adequacy and effectiveness of the internalcontrol system and other elements of the System of Governance

• The Internal Audit Function shall be objective and independent from the operational functions

• Any findings and recommendations of the Internal Audit Function shall be reported to the administrativemanagement or supervisory body which shall determine what actions are to be taken with respect toeach of the internal audit findings and recommendations, and shall ensure those actions are carried out

(Section 2 Article 47 – Internal Audit – The “what”)

So nothing really new in substance

Obligations of Internal Audit - what does theLevel 2 Guidance say - a recap

• To ensure its independence from the organisational activities audited, the Internal Audit Function shall carry out itsassignments with impartiality. The Internal Audit Function shall be able to exercise its assignments on its own initiative inall areas of the undertaking, It shall be free to express its opinions and to disclose its findings and its appraisals to thewhole administrative management or supervisory body

• The Internal Audit Function shall have the complete and unrestricted right to obtain information which includes the promptprovision of all necessary information, the availability of all documentation and the ability to look into all activities andprocesses of the undertaking, relevant for the discharge of its responsibilities, as required, in the performance of its tasks, aswell as having direct communication with any member of the undertaking’s staff

• To ensure the effectiveness of the Internal Audit Function, every activity and every unit of the undertaking shall fall withinits scope. The function shall draw up an audit plan to determine its future auditing actions, taking a risk based approach indeciding its priorities

• The Internal Audit Function shall at least annually produce a written report on its findings to be submitted to theadministrative, management and supervisory body. The report should cover at least any deficiencies of the internal controlsystem, as well as any major shortcomings with regard to the compliance with internal policies, procedures and processes. Itshall include recommendations on how to remedy inadequacies and also specifically address how past points of criticismand past recommendations have been implemented

(CEIOPS Doc 29/09 Level 2 Implementing Measures – the “how”)

A compelling mandate – we will look at some of the practicalities later

The Effect of Solvency II on:-

• Risk Mitigation

– Risk Management and mitigation are firmly under the spotlight

– Risk and Capital Management are much more closely aligned

– The better the risk mitigation, the lower the residual risk assessment

– Risk Management as a function is subject to Internal Audit (previous slide)

– Greater emphasis and visibility

Risk Mitigation is key – and it has to be seen to be working

The Effect of Solvency II on:-

• Resourcing

– Internal Audit considerations revolve around;-

• Is existing resource sufficient?

• Do we have the appropriate skills in the existing in house team, particularly for SIIspecific activity

• Should we outsource some or all of our effort (allowed under SII, provided);-

• If we do, who in the organisation is sufficiently independent to provide theappropriate oversight?

• How best do we deliver value for money?SII adds a further dimension in this regard

Going forwards – Recent and Expected FutureDevelopments

• Julian Adams of the FSA stated in October 2012, that the implementation date of 1/1/14 was “no longerachievable”

• Solvency II implementation is delayed, but the revised timetable remains uncertain

• The current working assumption is that Solvency II is coming – possibly from 1/1/2016 - although exactlywhen is uncertain

• The new Prudential Regulatory Authority advocates “ICAS Plus” transitional measures

• EIOPA is currently applying “interim measures” published in 27th March 2013 for consultation

• The Lloyd’s Market in 2013 is adopting a “soft landing” (i.e. not putting things completely on hold) –meaning full compliance is not expected in the Lloyd’s Market

• The uncertainty has evidently led in some quarters to a loss of focus

Continued….

• EIOPA “interim measures” published in March provide a draft mandate for local regulators to developtheir own national solutions in the context of uncertainties around the timetable

• For Internal Audit specifically, issues to be addressed include those highlighted in the Level 2 guidance,namely ; -

– Independence– Internal Audit Policy– Internal Audit Plan– Dealing with findings and recommendations– Annual Report to the Board

• Time spent getting these fundamental elements in place is be time well spent

The mandate SII has provided second and third line of defence functions with cannot be disregarded andimpetus should remain

Going forwards – Recent and Expected FutureDevelopments

Broker Market – Solvency II implications

• “Solvency II only applies to risk carriers right?” Wrong!

• Brokers and intermediaries are key providers of risk data, advice to underwriters, and in some cases,underwrite directly for customers

• Furthermore, the FSA Retail Conduct Risk outlook for 2012 highlighted the need for brokers to assess theirown business model, TCF procedures and reduce the risk of misselling

• Data quality/completeness/integrity is a key component of Solvency II requirements

• There is an impetus on brokers to improve their data capture/analysis and their own risk managementcapabilities

• Data is a key input into risk carriers’ internal models for assessing regulatory capital

• Internal Audit can (and in the case of Lloyd’s Managing Agents has) conduct an audit of data feeding theinternal model and assessing its fitness for purpose

Remember this element in your planning

Dealing with the expected regulatory focus onthe first and second lines of defence

RiskManagement

Board ofDirectors

SECOND LINEDirect

AssuranceCompliance,

Actuarial, Legaletc

THIRD LINEIndependent

Assurance(Internal

/External Audit,IndependentReview etc)

FIRST LINEThe Business

(Risk andControl Owners)

The “virtual team” in a SII world

• Regulatory focus on second line of defence in the following areas in particular– Risk Management– Actuarial– Compliance

• Internal Audit is the 4th of the key functions in Systems of Governance under Solvency II – but of course is the third line ofdefence

• The previous slide shows Risk Management at the hub of the “virtual team” and is more holistic in the new SII world thanjust the Risk Management team, encompassing elements of both the first and third lines

• Responsibilities of Risk Management and Actuarial in particular are considerable

• Internal Audit should recognise this and is well placed (more of that later) to provide assurance that the first and secondlines are on track

• 2012 and beyond, up to implementation – Internal Audit A was/is/will be expected to provide assurance that SIIpreparedness, ongoing migration to Business as Usual, and readiness in that regard are geared up to deliver Solvency IICompliance

Internal Audit is very much part of the virtual team notwithstanding its need to be independent

Dealing with the expected regulatory focus onthe first/second lines of defence – the “stick”

How can Internal Audit add value in thecontext of its new obligations – the “carrot”• Solvency II is a significant, but by no means the only mandate – the new PRA/FCA regulatory

regime/volatility in the financial markets generally and the resulting spotlight on Risk Management

• Risk Management is on the radar need for an independent assessment of it. How?

• Improve focus– Does you Audit Plan address what it should – or what it can?– Are you adopting a true risk based approach?– Are you working with the second line in the spirit of the “virtual team”?

• Redefine Stakeholders– Are they all defined, particularly the external ones?– Does your reporting line support your required independence?. If not, what are you going to do

about it?

• Structure capabilities– Strategic mind-set– Risk Management Function itself needs scrutinyContinued…..

How can Internal Audit add value in thecontext of its new obligations?

• Internal Audit has a clear mandate under SII –harness it

• Mandate for good practice – supports, and is supported by, IIA Guidelines

• Lloyd’s recognises this and in the interests of maintaining impetus, are asking all Lloyd’s Managing Agentsto ask their Internal Audit functions to perform a review of overall SII readiness in 2013/14

• Non Lloyd’s – lead the charge

You have an opportunity - grasp the nettle

Summary and Conclusion

• Internal audit obligations under SII are clear

• Implementation date less so but preparations should continue

• Resourcing implications are considerable – don’t underestimate them

• Risk data from intermediaries and other sources is a key element to consider

• Internal Audit is a key function in the System of Governance under SII

• Internal Audit if properly positioned can add great value

Take control of your destiny!

And finally….

If you want the best sports car – one that will get you round the track fastest….

You don’t economise on the brakes!

Food for thought

And finally…….really:-

Thank you for listeningAny questions?

DDI +44 (0) 20 7780 5882Susan.young@rqih.com

www.rqih.com